7.5
CVE-2026-39829
- EPSS 0.42%
- Veröffentlicht 22.05.2026 02:31:27
- Zuletzt bearbeitet 09.07.2026 13:17:03
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.335 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1284 Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
https://go.dev/issue/79565
https://go.dev/cl/781641
https://go.dev/cl/781661
https://bugzilla.redhat.com/show_bug.cgi?id=2480681
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39829.json
https://access.redhat.com/errata/RHSA-2026:29455
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://access.redhat.com/errata/RHSA-2026:26546
https://access.redhat.com/errata/RHSA-2026:26547
https://access.redhat.com/errata/RHSA-2026:36319
https://access.redhat.com/errata/RHSA-2026:36207
https://access.redhat.com/errata/RHSA-2026:36625
https://access.redhat.com/errata/RHSA-2026:36648
https://access.redhat.com/errata/RHSA-2026:35833
https://pkg.go.dev/vuln/GO-2026-5018
https://access.redhat.com/errata/RHSA-2026:36199
https://access.redhat.com/security/cve/CVE-2026-39829
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:36796
https://access.redhat.com/errata/RHSA-2026:36797
https://access.redhat.com/errata/RHSA-2026:37271
https://access.redhat.com/errata/RHSA-2026:36808
https://access.redhat.com/errata/RHSA-2026:37268
https://access.redhat.com/errata/RHSA-2026:36883
https://access.redhat.com/errata/RHSA-2026:37072
https://access.redhat.com/errata/RHSA-2026:37123